diff --git a/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.1.json b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.1.json
new file mode 100755
index 000000000..67c6f2bfc
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.1.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerAllowPrivilegeEscalationIsTrue",
+ "file": "containerAllowPrivilegeEscalationIsTrue.rego",
+ "template_args": {
+ "is_init": false,
+ "prefix": "",
+ "resource_type": "kubernetes_cron_job",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of privileged containers",
+ "reference_id": "accurics.kubernetes.IAM.1",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.10.json b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.10.json
new file mode 100755
index 000000000..a35290bd8
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.10.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerAllowPrivilegeEscalationIsTrue",
+ "file": "containerAllowPrivilegeEscalationIsTrue.rego",
+ "template_args": {
+ "is_init": true,
+ "prefix": "",
+ "resource_type": "kubernetes_daemonset",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of privileged containers",
+ "reference_id": "accurics.kubernetes.IAM.10",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.11.json b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.11.json
new file mode 100755
index 000000000..20daabb4a
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.11.json
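Review bot: The `description` in this hunk, `Minimize the admission of privileged containers`, describes a check on the `privileged` field, while the policy it registers (`containerAllowPrivilegeEscalationIsTrue`) evaluates `allowPrivilegeEscalation`; the same text is repeated in the other fifteen `accurics.kubernetes.IAM.1`–`IAM.16` files in this directory. Someone triaging a finding will look for `privileged: true` in the manifest and not find it. Suggest `"description": "Minimize the admission of containers with allowPrivilegeEscalation"` across all sixteen files. Separately, every JSON metadata file here is added with mode 100755 and without a trailing newline; plain data files do not need the executable bit.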
@@ -0,0 +1,15 @@
+{
+ "name": "containerAllowPrivilegeEscalationIsTrue",
+ "file": "containerAllowPrivilegeEscalationIsTrue.rego",
+ "template_args": {
+ "is_init": true,
+ "prefix": "",
+ "resource_type": "kubernetes_deployment",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of privileged containers",
+ "reference_id": "accurics.kubernetes.IAM.11",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.12.json b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.12.json
new file mode 100755
index 000000000..735ac4231
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.12.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerAllowPrivilegeEscalationIsTrue",
+ "file": "containerAllowPrivilegeEscalationIsTrue.rego",
+ "template_args": {
+ "is_init": true,
+ "prefix": "",
+ "resource_type": "kubernetes_job",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of privileged containers",
+ "reference_id": "accurics.kubernetes.IAM.12",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.13.json b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.13.json
new file mode 100755
index 000000000..a3a80376f
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.13.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerAllowPrivilegeEscalationIsTrue",
+ "file": "containerAllowPrivilegeEscalationIsTrue.rego",
+ "template_args": {
+ "is_init": true,
+ "prefix": "",
+ "resource_type": "kubernetes_pod",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of privileged containers",
+ "reference_id": "accurics.kubernetes.IAM.13",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.14.json b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.14.json
new file mode 100755
index 000000000..482583e32
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.14.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerAllowPrivilegeEscalationIsTrue",
+ "file": "containerAllowPrivilegeEscalationIsTrue.rego",
+ "template_args": {
+ "is_init": true,
+ "prefix": "",
+ "resource_type": "kubernetes_replicaset",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of privileged containers",
+ "reference_id": "accurics.kubernetes.IAM.14",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.15.json b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.15.json
new file mode 100755
index 000000000..28a8ca56e
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.15.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerAllowPrivilegeEscalationIsTrue",
+ "file": "containerAllowPrivilegeEscalationIsTrue.rego",
+ "template_args": {
+ "is_init": true,
+ "prefix": "",
+ "resource_type": "kubernetes_replication_controller",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of privileged containers",
+ "reference_id": "accurics.kubernetes.IAM.15",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.16.json b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.16.json
new file mode 100755
index 000000000..70024174a
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.16.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerAllowPrivilegeEscalationIsTrue",
+ "file": "containerAllowPrivilegeEscalationIsTrue.rego",
+ "template_args": {
+ "is_init": true,
+ "prefix": "",
+ "resource_type": "kubernetes_stateful_set",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of privileged containers",
+ "reference_id": "accurics.kubernetes.IAM.16",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.2.json b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.2.json
new file mode 100755
index 000000000..c4aed2689
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.2.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerAllowPrivilegeEscalationIsTrue",
+ "file": "containerAllowPrivilegeEscalationIsTrue.rego",
+ "template_args": {
+ "is_init": false,
+ "prefix": "",
+ "resource_type": "kubernetes_daemonset",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of privileged containers",
+ "reference_id": "accurics.kubernetes.IAM.2",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.3.json b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.3.json
new file mode 100755
index 000000000..57dd15783
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.3.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerAllowPrivilegeEscalationIsTrue",
+ "file": "containerAllowPrivilegeEscalationIsTrue.rego",
+ "template_args": {
+ "is_init": false,
+ "prefix": "",
+ "resource_type": "kubernetes_deployment",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of privileged containers",
+ "reference_id": "accurics.kubernetes.IAM.3",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.4.json b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.4.json
new file mode 100755
index 000000000..b3664f12a
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.4.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerAllowPrivilegeEscalationIsTrue",
+ "file": "containerAllowPrivilegeEscalationIsTrue.rego",
+ "template_args": {
+ "is_init": false,
+ "prefix": "",
+ "resource_type": "kubernetes_job",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of privileged containers",
+ "reference_id": "accurics.kubernetes.IAM.4",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.5.json b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.5.json
new file mode 100755
index 000000000..fac379f18
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.5.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerAllowPrivilegeEscalationIsTrue",
+ "file": "containerAllowPrivilegeEscalationIsTrue.rego",
+ "template_args": {
+ "is_init": false,
+ "prefix": "",
+ "resource_type": "kubernetes_pod",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of privileged containers",
+ "reference_id": "accurics.kubernetes.IAM.5",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.6.json b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.6.json
new file mode 100755
index 000000000..8f045acd4
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.6.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerAllowPrivilegeEscalationIsTrue",
+ "file": "containerAllowPrivilegeEscalationIsTrue.rego",
+ "template_args": {
+ "is_init": false,
+ "prefix": "",
+ "resource_type": "kubernetes_replicaset",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of privileged containers",
+ "reference_id": "accurics.kubernetes.IAM.6",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.7.json b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.7.json
new file mode 100755
index 000000000..b53736de9
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.7.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerAllowPrivilegeEscalationIsTrue",
+ "file": "containerAllowPrivilegeEscalationIsTrue.rego",
+ "template_args": {
+ "is_init": false,
+ "prefix": "",
+ "resource_type": "kubernetes_replication_controller",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of privileged containers",
+ "reference_id": "accurics.kubernetes.IAM.7",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.8.json b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.8.json
new file mode 100755
index 000000000..937f29dae
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.8.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerAllowPrivilegeEscalationIsTrue",
+ "file": "containerAllowPrivilegeEscalationIsTrue.rego",
+ "template_args": {
+ "is_init": false,
+ "prefix": "",
+ "resource_type": "kubernetes_stateful_set",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of privileged containers",
+ "reference_id": "accurics.kubernetes.IAM.8",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.9.json b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.9.json
new file mode 100755
index 000000000..747b9c24f
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/accurics.kubernetes.IAM.9.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerAllowPrivilegeEscalationIsTrue",
+ "file": "containerAllowPrivilegeEscalationIsTrue.rego",
+ "template_args": {
+ "is_init": true,
+ "prefix": "",
+ "resource_type": "kubernetes_cron_job",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of privileged containers",
+ "reference_id": "accurics.kubernetes.IAM.9",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/allow_privilege_escalation/containerAllowPrivilegeEscalationIsTrue.rego b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/containerAllowPrivilegeEscalationIsTrue.rego
new file mode 100644
index 000000000..9214a4e46
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/allow_privilege_escalation/containerAllowPrivilegeEscalationIsTrue.rego
@@ -0,0 +1,111 @@
+package accurics
+
+{{- if eq .is_init true}}
+
+{{.prefix}}{{.name}}{{.suffix}}[api.id] {
+ {{- template "initContainersSecurityContext" . }}
+ initContainersSecurityContext.allowPrivilegeEscalation == true
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[api.id] {
+ {{- template "initContainersSecurityContextTF" . }}
+ initContainersSecurityContextTF.allow_privilege_escalation == true
+}
+
+{{- else}}
+
+{{.prefix}}{{.name}}{{.suffix}}[api.id] {
+ {{- template "containersSecurityContext" . }}
+ containersSecurityContext.allowPrivilegeEscalation == true
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[api.id] {
+ {{- template "containersSecurityContextTF" . }}
+ containersSecurityContextTF.allow_privilege_escalation == true
+}
+
+{{- end}}
+
+
+##################################
+### Template definitions below ###
+##################################
+{{- define "api" }}
+ api = input.{{.resource_type}}[_]
+{{- end}}
+
+# resolves path to the spec key
+{{- define "spec" }}
+ {{- template "api" . }}
+ {{- if eq .resource_type "kubernetes_pod" }}
+ spec = api.config.spec
+ {{- else if eq .resource_type "kubernetes_pod_security_policy" }}
+ spec = api.config.spec
+ {{- else if eq .resource_type "kubernetes_cron_job" }}
+ spec = api.config.spec.jobTemplate.spec.template.spec
+ {{- else }}
+ spec = api.config.spec.template.spec
+ {{- end }}
+{{- end }}
+
+# resolves path to the spec key for terraform-defined k8s resources
+{{- define "specTF" }}
+ {{- template "api" . }}
+ {{- if eq .resource_type "kubernetes_pod" }}
+ specTF = api.config.spec
+ {{- else if eq .resource_type "kubernetes_pod_security_policy" }}
+ specTF = api.config.spec
+ {{- else if eq .resource_type "kubernetes_cron_job" }}
+ specTF = api.config.spec.job_template.spec.template.spec
+ {{- else }}
+ specTF = api.config.spec.template.spec
+ {{- end }}
+{{- end }}
+
+# resolves path to the containers list
+{{- define "containers" }}
+ {{- template "spec" . }}
+ containers = spec.containers[_]
+{{- end }}
+
+# resolves path to the containers' security context
+{{- define "containersSecurityContext" }}
+ {{- template "containers" . }}
+ containersSecurityContext = containers.securityContext
+{{- end }}
+
+# resolves path to the containers list for terraform-defined k8s resources
+{{- define "containersTF" }}
+ {{- template "specTF" . }}
+ containers = specTF.containers[_]
+{{- end }}
+
+# resolves path to the containers' security context for terraform-defined k8s resources
+{{- define "containersSecurityContextTF" }}
+ {{- template "containersTF" . }}
+ containersSecurityContextTF = containers.security_context
+{{- end }}
+
+# resolves path to the initContainers list
+{{- define "initContainers" }}
+ {{- template "spec" . }}
+ initContainers = spec.initContainers[_]
+{{- end }}
+
+# resolves path to the initContainers' security context
+{{- define "initContainersSecurityContext" }}
+ {{- template "initContainers" . }}
+ initContainersSecurityContext = initContainers.securityContext
+{{- end }}
+
+# resolves path to the initContainers list for terraform-defined k8s resources
+{{- define "initContainersTF" }}
+ {{- template "specTF" . }}
+ initContainersTF = specTF.init_containers[_]
+{{- end }}
+
+# resolves path to the initContainers' security context for terraform-defined k8s resources
+{{- define "initContainersSecurityContextTF" }}
+ {{- template "initContainersTF" . }}
+ initContainersSecurityContextTF = initContainersTF.security_context
+{{- end }}
diff --git a/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.17.json b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.17.json
new file mode 100755
index 000000000..d6784d39b
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.17.json
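Review bot: All four rule bodies fire only on an explicit `allowPrivilegeEscalation == true` (or `allow_privilege_escalation == true`), so a container that omits the field — or omits `securityContext` entirely, which leaves `containers.securityContext` undefined and skips the rule — is reported compliant, even though Kubernetes treats an unset field as allowing escalation (no_new_privs is only applied when it is explicitly false). The effect is that the most common insecure manifest, one with no securityContext at all, is never flagged. If the bundled OPA provides `object.get`, reading with a default closes the gap, e.g. `object.get(containersSecurityContext, "allowPrivilegeEscalation", true) == true`, and the `containersSecurityContext` template would likewise need `object.get(containers, "securityContext", {})` so a missing context is not silently dropped; the same applies to the init-container bodies and to the TF variants. A smaller point of style: `containersTF` binds `containers` while `initContainersTF` binds `initContainersTF`, so `containersSecurityContextTF` reads `containers.security_context`; binding `containersTF` in both places keeps the helpers parallel.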
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostIpcIsTrue",
+ "file": "containerHostIpcIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_cron_job",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host IPC namespace",
+ "reference_id": "accurics.kubernetes.IAM.17",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.18.json b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.18.json
new file mode 100755
index 000000000..5e23df201
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.18.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostIpcIsTrue",
+ "file": "containerHostIpcIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_daemonset",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host IPC namespace",
+ "reference_id": "accurics.kubernetes.IAM.18",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.19.json b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.19.json
new file mode 100755
index 000000000..25be1cca5
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.19.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostIpcIsTrue",
+ "file": "containerHostIpcIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_deployment",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host IPC namespace",
+ "reference_id": "accurics.kubernetes.IAM.19",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.20.json b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.20.json
new file mode 100755
index 000000000..3751215d2
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.20.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostIpcIsTrue",
+ "file": "containerHostIpcIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_job",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host IPC namespace",
+ "reference_id": "accurics.kubernetes.IAM.20",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.21.json b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.21.json
new file mode 100755
index 000000000..c00434152
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.21.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostIpcIsTrue",
+ "file": "containerHostIpcIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_pod",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host IPC namespace",
+ "reference_id": "accurics.kubernetes.IAM.21",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.22.json b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.22.json
new file mode 100755
index 000000000..06fc43eab
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.22.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostIpcIsTrue",
+ "file": "containerHostIpcIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_replicaset",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host IPC namespace",
+ "reference_id": "accurics.kubernetes.IAM.22",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.23.json b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.23.json
new file mode 100755
index 000000000..db23b17cb
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.23.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostIpcIsTrue",
+ "file": "containerHostIpcIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_replication_controller",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host IPC namespace",
+ "reference_id": "accurics.kubernetes.IAM.23",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.24.json b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.24.json
new file mode 100755
index 000000000..6c119bef6
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.24.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostIpcIsTrue",
+ "file": "containerHostIpcIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_stateful_set",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host IPC namespace",
+ "reference_id": "accurics.kubernetes.IAM.24",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.33.json b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.33.json
new file mode 100755
index 000000000..f4e3df468
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.33.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostIpcIsTrue",
+ "file": "containerHostIpcIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_cron_job",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host IPC namespace",
+ "reference_id": "accurics.kubernetes.IAM.33",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.34.json b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.34.json
new file mode 100755
index 000000000..16b2d4f90
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.34.json
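Review bot: `accurics.kubernetes.IAM.33` (the second hunk on this line) registers exactly the same check as `accurics.kubernetes.IAM.17`: same `name`, same `file`, same `resource_type` (`kubernetes_cron_job`) and empty `prefix`/`suffix`, with no `is_init` or other argument to tell them apart; the same holds pairwise for IAM.34–IAM.40 against IAM.18–IAM.24 in the hunks that follow. Presumably every host-IPC violation would then be reported twice under two reference ids, and the two rendered modules define the identical rule `containerHostIpcIsTrue[api.id]` in package `accurics`. It looks like the IAM.33–40 files may have been intended for a different host-namespace check (hostPID is the one absent alongside hostIPC and hostNetwork) — worth confirming; either way they need a distinct `name`/`file` or should be dropped.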
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostIpcIsTrue",
+ "file": "containerHostIpcIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_daemonset",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host IPC namespace",
+ "reference_id": "accurics.kubernetes.IAM.34",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.35.json b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.35.json
new file mode 100755
index 000000000..d2f1ed5ff
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.35.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostIpcIsTrue",
+ "file": "containerHostIpcIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_deployment",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host IPC namespace",
+ "reference_id": "accurics.kubernetes.IAM.35",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.36.json b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.36.json
new file mode 100755
index 000000000..ef7d08217
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.36.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostIpcIsTrue",
+ "file": "containerHostIpcIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_job",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host IPC namespace",
+ "reference_id": "accurics.kubernetes.IAM.36",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.37.json b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.37.json
new file mode 100755
index 000000000..c1b66cf5c
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.37.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostIpcIsTrue",
+ "file": "containerHostIpcIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_pod",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host IPC namespace",
+ "reference_id": "accurics.kubernetes.IAM.37",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.38.json b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.38.json
new file mode 100755
index 000000000..bf2b65277
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.38.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostIpcIsTrue",
+ "file": "containerHostIpcIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_replicaset",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host IPC namespace",
+ "reference_id": "accurics.kubernetes.IAM.38",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.39.json b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.39.json
new file mode 100755
index 000000000..af05bd39f
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.39.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostIpcIsTrue",
+ "file": "containerHostIpcIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_replication_controller",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host IPC namespace",
+ "reference_id": "accurics.kubernetes.IAM.39",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.40.json b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.40.json
new file mode 100755
index 000000000..e859c01d5
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_ipc/accurics.kubernetes.IAM.40.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostIpcIsTrue",
+ "file": "containerHostIpcIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_stateful_set",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host IPC namespace",
+ "reference_id": "accurics.kubernetes.IAM.40",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_ipc/containerHostIpcIsTrue.rego b/pkg/policies/opa/rego/k8s/container_host_ipc/containerHostIpcIsTrue.rego
new file mode 100644
index 000000000..3a26ef9ae
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_ipc/containerHostIpcIsTrue.rego
@@ -0,0 +1,94 @@
+package accurics
+
+{{.prefix}}{{.name}}{{.suffix}}[api.id] {
+ {{- template "spec" . }}
+ spec.hostIPC == true
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[api.id] {
+ {{- template "specTF" . }}
+ specTF.host_ipc == true
+}
+
+##################################
+### Template definitions below ###
+##################################
+{{- define "api" }}
+ api = input.{{.resource_type}}[_]
+{{- end}}
+
+# resolves path to the spec key
+{{- define "spec" }}
+ {{- template "api" . }}
+ {{- if eq .resource_type "kubernetes_pod" }}
+ spec = api.config.spec
+ {{- else if eq .resource_type "kubernetes_pod_security_policy" }}
+ spec = api.config.spec
+ {{- else if eq .resource_type "kubernetes_cron_job" }}
+ spec = api.config.spec.jobTemplate.spec.template.spec
+ {{- else }}
+ spec = api.config.spec.template.spec
+ {{- end }}
+{{- end }}
+
+# resolves path to the spec key for terraform-defined k8s resources
+{{- define "specTF" }}
+ {{- template "api" . }}
+ {{- if eq .resource_type "kubernetes_pod" }}
+ specTF = api.config.spec
+ {{- else if eq .resource_type "kubernetes_pod_security_policy" }}
+ specTF = api.config.spec
+ {{- else if eq .resource_type "kubernetes_cron_job" }}
+ specTF = api.config.spec.job_template.spec.template.spec
+ {{- else }}
+ specTF = api.config.spec.template.spec
+ {{- end }}
+{{- end }}
+
+# resolves path to the containers list
+{{- define "containers" }}
+ {{- template "spec" . }}
+ containers = spec.containers[_]
+{{- end }}
+
+# resolves path to the containers' security context
+{{- define "containersSecurityContext" }}
+ {{- template "containers" . }}
+ containersSecurityContext = containers.securityContext
+{{- end }}
+
+# resolves path to the containers list for terraform-defined k8s resources
+{{- define "containersTF" }}
+ {{- template "specTF" . }}
+ containers = specTF.containers[_]
+{{- end }}
+
+# resolves path to the containers' security context for terraform-defined k8s resources
+{{- define "containersSecurityContextTF" }}
+ {{- template "containersTF" . }}
+ containersSecurityContextTF = containers.security_context
+{{- end }}
+
+# resolves path to the initContainers list
+{{- define "initContainers" }}
+ {{- template "spec" . }}
+ initContainers = spec.initContainers[_]
+{{- end }}
+
+# resolves path to the initContainers' security context
+{{- define "initContainersSecurityContext" }}
+ {{- template "initContainers" . }}
+ initContainersSecurityContext = initContainers.securityContext
+{{- end }}
+
+# resolves path to the initContainers list for terraform-defined k8s resources
+{{- define "initContainersTF" }}
+ {{- template "specTF" . }}
+ initContainersTF = specTF.init_containers[_]
+{{- end }}
+
+# resolves path to the initContainers' security context for terraform-defined k8s resources
+{{- define "initContainersSecurityContextTF" }}
+ {{- template "initContainersTF" . }}
+ initContainersSecurityContextTF = initContainersTF.security_context
+{{- end }}
diff --git a/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.25.json b/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.25.json
new file mode 100755
index 000000000..0a6577a83
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.25.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostNetworkIsTrue",
+ "file": "containerHostNetworkIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_cron_job",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host network namespace",
+ "reference_id": "accurics.kubernetes.IAM.25",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
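Review bot: Only `api`, `spec` and `specTF` are referenced by the two rule bodies at the top of this file, yet the hunk also defines `containers`, `containersSecurityContext`, `containersTF`, `containersSecurityContextTF`, `initContainers`, `initContainersSecurityContext`, `initContainersTF` and `initContainersSecurityContextTF`, apparently copied over from `containerAllowPrivilegeEscalationIsTrue.rego`. Dead template definitions have to be kept in sync by hand in every policy file (the `containersTF` helper already binds `containers` where `initContainersTF` binds `initContainersTF`), so either drop the unused ones here or move the shared definitions into one common template that each policy includes. The check itself is sound for this field: `hostIPC` is false unless set, so matching `== true` covers the insecure case.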
diff --git a/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.26.json b/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.26.json
new file mode 100755
index 000000000..7383c3599
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.26.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostNetworkIsTrue",
+ "file": "containerHostNetworkIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_daemonset",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host network namespace",
+ "reference_id": "accurics.kubernetes.IAM.26",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.27.json b/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.27.json
new file mode 100755
index 000000000..0fa003528
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.27.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostNetworkIsTrue",
+ "file": "containerHostNetworkIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_deployment",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host network namespace",
+ "reference_id": "accurics.kubernetes.IAM.27",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.28.json b/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.28.json
new file mode 100755
index 000000000..40e9ffee3
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.28.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostNetworkIsTrue",
+ "file": "containerHostNetworkIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_job",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host network namespace",
+ "reference_id": "accurics.kubernetes.IAM.28",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.29.json b/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.29.json
new file mode 100755
index 000000000..fa020e16c
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.29.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostNetworkIsTrue",
+ "file": "containerHostNetworkIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_pod",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host network namespace",
+ "reference_id": "accurics.kubernetes.IAM.29",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.30.json b/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.30.json
new file mode 100755
index 000000000..b361bc75e
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.30.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostNetworkIsTrue",
+ "file": "containerHostNetworkIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_replicaset",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host network namespace",
+ "reference_id": "accurics.kubernetes.IAM.30",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.31.json b/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.31.json
new file mode 100755
index 000000000..d01322cfe
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.31.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostNetworkIsTrue",
+ "file": "containerHostNetworkIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_replication_controller",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host network namespace",
+ "reference_id": "accurics.kubernetes.IAM.31",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.32.json b/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.32.json
new file mode 100755
index 000000000..089f5de1a
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.32.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostNetworkIsTrue",
+ "file": "containerHostNetworkIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_stateful_set",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host network namespace",
+ "reference_id": "accurics.kubernetes.IAM.32",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.33.json b/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.33.json
new file mode 100755
index 000000000..53113fe6c
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.33.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostNetworkIsTrue",
+ "file": "containerHostNetworkIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_pod_security_policy",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host network namespace",
+ "reference_id": "accurics.kubernetes.IAM.33",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.34.json b/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.34.json
new file mode 100755
index 000000000..5633e9ba2
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.34.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostNetworkIsTrue",
+ "file": "containerHostNetworkIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_replicaset",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host network namespace",
+ "reference_id": "accurics.kubernetes.IAM.34",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.35.json b/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.35.json
new file mode 100755
index 000000000..f1406cc01
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.35.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostNetworkIsTrue",
+ "file": "containerHostNetworkIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_replication_controller",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host network namespace",
+ "reference_id": "accurics.kubernetes.IAM.35",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.36.json b/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.36.json
new file mode 100755
index 000000000..74db5d4ed
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_network/accurics.kubernetes.IAM.36.json
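Review bot: `accurics.kubernetes.IAM.34` is the IAM.30 policy (containerHostNetworkIsTrue on kubernetes_replicaset) repeated under a second reference_id, and IAM.35/IAM.36 likewise repeat IAM.31/IAM.32 (replication_controller, stateful_set); the same pattern recurs in container_host_pid, where IAM.41, IAM.43, IAM.44 and IAM.45 duplicate IAM.37–IAM.40. Separately, the numbers IAM.33–IAM.36 are assigned in both container_host_network and container_host_pid, and IAM.41–IAM.45 in both container_host_pid and container_read_only_root_filesystem, so a reference_id no longer names exactly one rule. The repeated definitions produce two findings for the same resource, and anything keyed on reference_id (reports, suppressions, deduplication) presumably cannot tell the colliding rules apart. Drop the repeated files and renumber the later directories so every reference_id is unique across the rule set; a test that fails on duplicate reference_id values would keep it that way.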
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostNetworkIsTrue",
+ "file": "containerHostNetworkIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_stateful_set",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host network namespace",
+ "reference_id": "accurics.kubernetes.IAM.36",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_network/containerHostNetworkIsTrue.rego b/pkg/policies/opa/rego/k8s/container_host_network/containerHostNetworkIsTrue.rego
new file mode 100644
index 000000000..3966c0e11
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_network/containerHostNetworkIsTrue.rego
@@ -0,0 +1,94 @@
+package accurics
+
+{{.prefix}}{{.name}}{{.suffix}}[api.id] {
+ {{template "spec" . }}
+ spec.hostNetwork == true
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[api.id] {
+ {{template "specTF" . }}
+ specTF.host_network == true
+}
+
+##################################
+### Template definitions below ###
+##################################
+{{- define "api" }}
+ api = input.{{.resource_type}}[_]
+{{- end}}
+
+# resolves path to the spec key
+{{- define "spec" }}
+ {{- template "api" . }}
+ {{- if eq .resource_type "kubernetes_pod" }}
+ spec = api.config.spec
+ {{- else if eq .resource_type "kubernetes_pod_security_policy" }}
+ spec = api.config.spec
+ {{- else if eq .resource_type "kubernetes_cron_job" }}
+ spec = api.config.spec.jobTemplate.spec.template.spec
+ {{- else }}
+ spec = api.config.spec.template.spec
+ {{- end }}
+{{- end }}
+
+# resolves path to the spec key for terraform-defined k8s resources
+{{- define "specTF" }}
+ {{- template "api" . }}
+ {{- if eq .resource_type "kubernetes_pod" }}
+ specTF = api.config.spec
+ {{- else if eq .resource_type "kubernetes_pod_security_policy" }}
+ specTF = api.config.spec
+ {{- else if eq .resource_type "kubernetes_cron_job" }}
+ specTF = api.config.spec.job_template.spec.template.spec
+ {{- else }}
+ specTF = api.config.spec.template.spec
+ {{- end }}
+{{- end }}
+
+# resolves path to the containers list
+{{- define "containers" }}
+ {{- template "spec" . }}
+ containers = spec.containers[_]
+{{- end }}
+
+# resolves path to the containers' security context
+{{- define "containersSecurityContext" }}
+ {{- template "containers" . }}
+ containersSecurityContext = containers.securityContext
+{{- end }}
+
+# resolves path to the containers list for terraform-defined k8s resources
+{{- define "containersTF" }}
+ {{- template "specTF" . 
}}
+ containers = specTF.containers[_]
+{{- end }}
+
+# resolves path to the containers' security context for terraform-defined k8s resources
+{{- define "containersSecurityContextTF" }}
+ {{- template "containersTF" . }}
+ containersSecurityContextTF = containers.security_context
+{{- end }}
+
+# resolves path to the initContainers list
+{{- define "initContainers" }}
+ {{- template "spec" . }}
+ initContainers = spec.initContainers[_]
+{{- end }}
+
+# resolves path to the initContainers' security context
+{{- define "initContainersSecurityContext" }}
+ {{- template "initContainers" . }}
+ initContainersSecurityContext = initContainers.securityContext
+{{- end }}
+
+# resolves path to the initContainers list for terraform-defined k8s resources
+{{- define "initContainersTF" }}
+ {{- template "specTF" . }}
+ initContainersTF = specTF.init_containers[_]
+{{- end }}
+
+# resolves path to the initContainers' security context for terraform-defined k8s resources
+{{- define "initContainersSecurityContextTF" }}
+ {{- template "initContainersTF" . }}
+ initContainersSecurityContextTF = initContainersTF.security_context
+{{- end }}
diff --git a/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.33.json b/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.33.json
new file mode 100755
index 000000000..53b782896
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.33.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostPidIsTrue",
+ "file": "containerHostPidIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_cron_job",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host process ID namespace",
+ "reference_id": "accurics.kubernetes.IAM.33",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
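Review bot: In the `containersTF` template the Terraform container list is bound to `containers`, while its init-container twin binds `initContainersTF`, and `containersSecurityContextTF` then reads `containers.security_context`; the two should follow one scheme, i.e. `containersTF = specTF.containers[_]` and `containersSecurityContextTF = containersTF.security_context`. As written, a rule body that expands both `containers` and `containersTF` would presumably unify the Kubernetes and Terraform container lists under a single variable instead of binding two. Neither rule body in this file uses the container-level templates (only `spec` and `specTF`), so they are carried boilerplate here; if they stay, the same rename applies to the identical block in containerHostPidIsTrue.rego. The trim markers also differ between the two files (`{{template "spec" . }}` here, `{{- template "spec" . }}` in containerHostPidIsTrue.rego), which only changes rendered whitespace but is worth aligning.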
diff --git a/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.34.json b/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.34.json
new file mode 100755
index 000000000..cf04235fd
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.34.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostPidIsTrue",
+ "file": "containerHostPidIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_daemonset",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host process ID namespace",
+ "reference_id": "accurics.kubernetes.IAM.34",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.35.json b/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.35.json
new file mode 100755
index 000000000..8760f9bb7
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.35.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostPidIsTrue",
+ "file": "containerHostPidIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_deployment",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host process ID namespace",
+ "reference_id": "accurics.kubernetes.IAM.35",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.36.json b/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.36.json
new file mode 100755
index 000000000..685036b86
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.36.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostPidIsTrue",
+ "file": "containerHostPidIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_job",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host process ID namespace",
+ "reference_id": "accurics.kubernetes.IAM.36",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.37.json b/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.37.json
new file mode 100755
index 000000000..6c0c9962e
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.37.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostPidIsTrue",
+ "file": "containerHostPidIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_pod",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host process ID namespace",
+ "reference_id": "accurics.kubernetes.IAM.37",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.38.json b/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.38.json
new file mode 100755
index 000000000..0b9a17bc0
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.38.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostPidIsTrue",
+ "file": "containerHostPidIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_replicaset",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host process ID namespace",
+ "reference_id": "accurics.kubernetes.IAM.38",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.39.json b/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.39.json
new file mode 100755
index 000000000..ed69cdd5d
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.39.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostPidIsTrue",
+ "file": "containerHostPidIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_replication_controller",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host process ID namespace",
+ "reference_id": "accurics.kubernetes.IAM.39",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.40.json b/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.40.json
new file mode 100755
index 000000000..130130c3d
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.40.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostPidIsTrue",
+ "file": "containerHostPidIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_stateful_set",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host process ID namespace",
+ "reference_id": "accurics.kubernetes.IAM.40",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.41.json b/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.41.json
new file mode 100755
index 000000000..191208b75
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.41.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostPidIsTrue",
+ "file": "containerHostPidIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_pod",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host process ID namespace",
+ "reference_id": "accurics.kubernetes.IAM.41",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.42.json b/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.42.json
new file mode 100755
index 000000000..052ce7236
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.42.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostPidIsTrue",
+ "file": "containerHostPidIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_pod_security_policy",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host process ID namespace",
+ "reference_id": "accurics.kubernetes.IAM.42",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.43.json b/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.43.json
new file mode 100755
index 000000000..33f18a23b
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.43.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostPidIsTrue",
+ "file": "containerHostPidIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_replicaset",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host process ID namespace",
+ "reference_id": "accurics.kubernetes.IAM.43",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.44.json b/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.44.json
new file mode 100755
index 000000000..d6c1c634a
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.44.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostPidIsTrue",
+ "file": "containerHostPidIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_replication_controller",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host process ID namespace",
+ "reference_id": "accurics.kubernetes.IAM.44",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.45.json b/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.45.json
new file mode 100755
index 000000000..4b9a05107
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_pid/accurics.kubernetes.IAM.45.json
@@ -0,0 +1,14 @@
+{
+ "name": "containerHostPidIsTrue",
+ "file": "containerHostPidIsTrue.rego",
+ "template_args": {
+ "prefix": "",
+ "resource_type": "kubernetes_stateful_set",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Minimize the admission of containers wishing to share the host process ID namespace",
+ "reference_id": "accurics.kubernetes.IAM.45",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_host_pid/containerHostPidIsTrue.rego b/pkg/policies/opa/rego/k8s/container_host_pid/containerHostPidIsTrue.rego
new file mode 100644
index 000000000..ec586185e
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_host_pid/containerHostPidIsTrue.rego
@@ -0,0 +1,95 @@
+package accurics
+
+{{.prefix}}{{.name}}{{.suffix}}[api.id] {
+ {{- template "spec" . }}
+ spec.hostPID == true
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[api.id] {
+ {{- template "specTF" . }}
+ specTF.host_pid == true
+}
+
+
+##################################
+### Template definitions below ###
+##################################
+{{- define "api" }}
+ api = input.{{.resource_type}}[_]
+{{- end}}
+
+# resolves path to the spec key
+{{- define "spec" }}
+ {{- template "api" . }}
+ {{- if eq .resource_type "kubernetes_pod" }}
+ spec = api.config.spec
+ {{- else if eq .resource_type "kubernetes_pod_security_policy" }}
+ spec = api.config.spec
+ {{- else if eq .resource_type "kubernetes_cron_job" }}
+ spec = api.config.spec.jobTemplate.spec.template.spec
+ {{- else }}
+ spec = api.config.spec.template.spec
+ {{- end }}
+{{- end }}
+
+# resolves path to the spec key for terraform-defined k8s resources
+{{- define "specTF" }}
+ {{- template "api" . }}
+ {{- if eq .resource_type "kubernetes_pod" }}
+ specTF = api.config.spec
+ {{- else if eq .resource_type "kubernetes_pod_security_policy" }}
+ specTF = api.config.spec
+ {{- else if eq .resource_type "kubernetes_cron_job" }}
+ specTF = api.config.spec.job_template.spec.template.spec
+ {{- else }}
+ specTF = api.config.spec.template.spec
+ {{- end }}
+{{- end }}
+
+# resolves path to the containers list
+{{- define "containers" }}
+ {{- template "spec" . }}
+ containers = spec.containers[_]
+{{- end }}
+
+# resolves path to the containers' security context
+{{- define "containersSecurityContext" }}
+ {{- template "containers" . }}
+ containersSecurityContext = containers.securityContext
+{{- end }}
+
+# resolves path to the containers list for terraform-defined k8s resources
+{{- define "containersTF" }}
+ {{- template "specTF" . 
}}
+ containers = specTF.containers[_]
+{{- end }}
+
+# resolves path to the containers' security context for terraform-defined k8s resources
+{{- define "containersSecurityContextTF" }}
+ {{- template "containersTF" . }}
+ containersSecurityContextTF = containers.security_context
+{{- end }}
+
+# resolves path to the initContainers list
+{{- define "initContainers" }}
+ {{- template "spec" . }}
+ initContainers = spec.initContainers[_]
+{{- end }}
+
+# resolves path to the initContainers' security context
+{{- define "initContainersSecurityContext" }}
+ {{- template "initContainers" . }}
+ initContainersSecurityContext = initContainers.securityContext
+{{- end }}
+
+# resolves path to the initContainers list for terraform-defined k8s resources
+{{- define "initContainersTF" }}
+ {{- template "specTF" . }}
+ initContainersTF = specTF.init_containers[_]
+{{- end }}
+
+# resolves path to the initContainers' security context for terraform-defined k8s resources
+{{- define "initContainersSecurityContextTF" }}
+ {{- template "initContainersTF" . }}
+ initContainersSecurityContextTF = initContainersTF.security_context
+{{- end }}
diff --git a/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.41.json b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.41.json
new file mode 100755
index 000000000..976f2104f
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.41.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerReadOnlyRootFilesystemIsFalse",
+ "file": "containerReadOnlyRootFilesystemIsFalse.rego",
+ "template_args": {
+ "is_init": false,
+ "prefix": "",
+ "resource_type": "kubernetes_cron_job",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Container's root filesystem is not read-only",
+ "reference_id": "accurics.kubernetes.IAM.41",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.42.json b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.42.json
new file mode 100755
index 000000000..1761369aa
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.42.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerReadOnlyRootFilesystemIsFalse",
+ "file": "containerReadOnlyRootFilesystemIsFalse.rego",
+ "template_args": {
+ "is_init": false,
+ "prefix": "",
+ "resource_type": "kubernetes_daemonset",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Container's root filesystem is not read-only",
+ "reference_id": "accurics.kubernetes.IAM.42",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.43.json b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.43.json
new file mode 100755
index 000000000..24c848cdb
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.43.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerReadOnlyRootFilesystemIsFalse",
+ "file": "containerReadOnlyRootFilesystemIsFalse.rego",
+ "template_args": {
+ "is_init": false,
+ "prefix": "",
+ "resource_type": "kubernetes_deployment",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Container's root filesystem is not read-only",
+ "reference_id": "accurics.kubernetes.IAM.43",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.44.json b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.44.json
new file mode 100755
index 000000000..29fbd19b5
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.44.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerReadOnlyRootFilesystemIsFalse",
+ "file": "containerReadOnlyRootFilesystemIsFalse.rego",
+ "template_args": {
+ "is_init": false,
+ "prefix": "",
+ "resource_type": "kubernetes_job",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Container's root filesystem is not read-only",
+ "reference_id": "accurics.kubernetes.IAM.44",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.45.json b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.45.json
new file mode 100755
index 000000000..f1197cab6
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.45.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerReadOnlyRootFilesystemIsFalse",
+ "file": "containerReadOnlyRootFilesystemIsFalse.rego",
+ "template_args": {
+ "is_init": false,
+ "prefix": "",
+ "resource_type": "kubernetes_pod",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Container's root filesystem is not read-only",
+ "reference_id": "accurics.kubernetes.IAM.45",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.46.json b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.46.json
new file mode 100755
index 000000000..e1bc81390
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.46.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerReadOnlyRootFilesystemIsFalse",
+ "file": "containerReadOnlyRootFilesystemIsFalse.rego",
+ "template_args": {
+ "is_init": false,
+ "prefix": "",
+ "resource_type": "kubernetes_replicaset",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Container's root filesystem is not read-only",
+ "reference_id": "accurics.kubernetes.IAM.46",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.47.json b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.47.json
new file mode 100755
index 000000000..589da7e6a
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.47.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerReadOnlyRootFilesystemIsFalse",
+ "file": "containerReadOnlyRootFilesystemIsFalse.rego",
+ "template_args": {
+ "is_init": false,
+ "prefix": "",
+ "resource_type": "kubernetes_replication_controller",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Container's root filesystem is not read-only",
+ "reference_id": "accurics.kubernetes.IAM.47",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.48.json b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.48.json
new file mode 100755
index 000000000..9c37dc79e
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.48.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerReadOnlyRootFilesystemIsFalse",
+ "file": "containerReadOnlyRootFilesystemIsFalse.rego",
+ "template_args": {
+ "is_init": false,
+ "prefix": "",
+ "resource_type": "kubernetes_stateful_set",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Container's root filesystem is not read-only",
+ "reference_id": "accurics.kubernetes.IAM.48",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.49.json b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.49.json
new file mode 100755
index 000000000..305418659
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.49.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerReadOnlyRootFilesystemIsFalse",
+ "file": "containerReadOnlyRootFilesystemIsFalse.rego",
+ "template_args": {
+ "is_init": true,
+ "prefix": "",
+ "resource_type": "kubernetes_cron_job",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Container's root filesystem is not read-only",
+ "reference_id": "accurics.kubernetes.IAM.49",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.50.json b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.50.json
new file mode 100755
index 000000000..7dd79ad20
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.50.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerReadOnlyRootFilesystemIsFalse",
+ "file": "containerReadOnlyRootFilesystemIsFalse.rego",
+ "template_args": {
+ "is_init": true,
+ "prefix": "",
+ "resource_type": "kubernetes_daemonset",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Container's root filesystem is not read-only",
+ "reference_id": "accurics.kubernetes.IAM.50",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.51.json b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.51.json
new file mode 100755
index 000000000..c35eb4f00
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.51.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerReadOnlyRootFilesystemIsFalse",
+ "file": "containerReadOnlyRootFilesystemIsFalse.rego",
+ "template_args": {
+ "is_init": true,
+ "prefix": "",
+ "resource_type": "kubernetes_deployment",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Container's root filesystem is not read-only",
+ "reference_id": "accurics.kubernetes.IAM.51",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.52.json b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.52.json
new file mode 100755
index 000000000..f219b9ed0
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.52.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerReadOnlyRootFilesystemIsFalse",
+ "file": "containerReadOnlyRootFilesystemIsFalse.rego",
+ "template_args": {
+ "is_init": true,
+ "prefix": "",
+ "resource_type": "kubernetes_job",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Container's root filesystem is not read-only",
+ "reference_id": "accurics.kubernetes.IAM.52",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.53.json b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.53.json
new file mode 100755
index 000000000..c8933aa66
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.53.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerReadOnlyRootFilesystemIsFalse",
+ "file": "containerReadOnlyRootFilesystemIsFalse.rego",
+ "template_args": {
+ "is_init": true,
+ "prefix": "",
+ "resource_type": "kubernetes_pod",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Container's root filesystem is not read-only",
+ "reference_id": "accurics.kubernetes.IAM.53",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.54.json b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.54.json
new file mode 100755
index 000000000..eedabc123
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.54.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerReadOnlyRootFilesystemIsFalse",
+ "file": "containerReadOnlyRootFilesystemIsFalse.rego",
+ "template_args": {
+ "is_init": true,
+ "prefix": "",
+ "resource_type": "kubernetes_replicaset",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Container's root filesystem is not read-only",
+ "reference_id": "accurics.kubernetes.IAM.54",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.55.json b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.55.json
new file mode 100755
index 000000000..83896b5d5
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.55.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerReadOnlyRootFilesystemIsFalse",
+ "file": "containerReadOnlyRootFilesystemIsFalse.rego",
+ "template_args": {
+ "is_init": true,
+ "prefix": "",
+ "resource_type": "kubernetes_replication_controller",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Container's root filesystem is not read-only",
+ "reference_id": "accurics.kubernetes.IAM.55",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.56.json b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.56.json
new file mode 100755
index 000000000..6c0ee16d8
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/accurics.kubernetes.IAM.56.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerReadOnlyRootFilesystemIsFalse",
+ "file": "containerReadOnlyRootFilesystemIsFalse.rego",
+ "template_args": {
+ "is_init": true,
+ "prefix": "",
+ "resource_type": "kubernetes_stateful_set",
+ "suffix": ""
+ },
+ "severity": "MEDIUM",
+ "description": "Container's root filesystem is not read-only",
+ "reference_id": "accurics.kubernetes.IAM.56",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/containerReadOnlyRootFilesystemIsFalse.rego b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/containerReadOnlyRootFilesystemIsFalse.rego
new file mode 100644
index 000000000..f904d5003
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_read_only_root_filesystem/containerReadOnlyRootFilesystemIsFalse.rego
@@ -0,0 +1,110 @@
+package accurics
+
+{{- if eq .is_init true }}
+
+{{.prefix}}{{.name}}{{.suffix}}[api.id] {
+ {{- template "initContainers" . }}
+ initContainers.readOnlyRootFilesystem == false
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[api.id] {
+ {{- template "initContainersTF" . }}
+ initContainersTF.read_only_root_filesystem == false
+}
+
+{{- else }}
+
+{{.prefix}}{{.name}}{{.suffix}}[api.id] {
+ {{- template "containers" . }}
+ containers.readOnlyRootFilesystem == false
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[api.id] {
+ {{- template "containersTF" . }}
+ containersTF.read_only_root_filesystem == false
+}
+
+{{- end }}
+
+##################################
+### Template definitions below ###
+##################################
+{{- define "api" }}
+ api = input.{{.resource_type}}[_]
+{{- end}}
+
+# resolves path to the spec key
+{{- define "spec" }}
+ {{- template "api" . }}
+ {{- if eq .resource_type "kubernetes_pod" }}
+ spec = api.config.spec
+ {{- else if eq .resource_type "kubernetes_pod_security_policy" }}
+ spec = api.config.spec
+ {{- else if eq .resource_type "kubernetes_cron_job" }}
+ spec = api.config.spec.jobTemplate.spec.template.spec
+ {{- else }}
+ spec = api.config.spec.template.spec
+ {{- end }}
+{{- end }}
+
+# resolves path to the spec key for terraform-defined k8s resources
+{{- define "specTF" }}
+ {{- template "api" . }}
+ {{- if eq .resource_type "kubernetes_pod" }}
+ specTF = api.config.spec
+ {{- else if eq .resource_type "kubernetes_pod_security_policy" }}
+ specTF = api.config.spec
+ {{- else if eq .resource_type "kubernetes_cron_job" }}
+ specTF = api.config.spec.job_template.spec.template.spec
+ {{- else }}
+ specTF = api.config.spec.template.spec
+ {{- end }}
+{{- end }}
+
+# resolves path to the containers list
+{{- define "containers" }}
+ {{- template "spec" . }}
+ containers = spec.containers[_]
+{{- end }}
+
+# resolves path to the containers' security context
+{{- define "containersSecurityContext" }}
+ {{- template "containers" . }}
+ containersSecurityContext = containers.securityContext
+{{- end }}
+
+# resolves path to the containers list for terraform-defined k8s resources
+{{- define "containersTF" }}
+ {{- template "specTF" . }}
+ containersTF = specTF.containers[_]
+{{- end }}
+
+# resolves path to the containers' security context for terraform-defined k8s resources
+{{- define "containersSecurityContextTF" }}
+ {{- template "containersTF" . }}
+ containersSecurityContextTF = containers.security_context
+{{- end }}
+
+# resolves path to the initContainers list
+{{- define "initContainers" }}
+ {{- template "spec" . }}
+ initContainers = spec.initContainers[_]
+{{- end }}
+
+# resolves path to the initContainers' security context
+{{- define "initContainersSecurityContext" }}
+ {{- template "initContainers" . }}
+ initContainersSecurityContext = initContainers.securityContext
+{{- end }}
+
+# resolves path to the initContainers list for terraform-defined k8s resources
+{{- define "initContainersTF" }}
+ {{- template "specTF" . }}
+ initContainersTF = specTF.init_containers[_]
+{{- end }}
+
+# resolves path to the initContainers' security context for terraform-defined k8s resources
+{{- define "initContainersSecurityContextTF" }}
+ {{- template "initContainersTF" . }}
+ initContainersSecurityContextTF = initContainersTF.security_context
+{{- end }}
diff --git a/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.57.json b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.57.json
new file mode 100755
index 000000000..f079a5ab7
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.57.json
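Review bot: The rule bodies test `containers.readOnlyRootFilesystem == false` and `initContainers.readOnlyRootFilesystem == false`, but in the Kubernetes container spec `readOnlyRootFilesystem` is a field of `securityContext`, so that path is never present in a real manifest and the policy cannot fire; the `containersSecurityContext` / `initContainersSecurityContext` templates defined lower in the same file already resolve the correct path and are unused. The `== false` comparison also misses the default case, where the field is simply absent and the root filesystem is still writable, so the check would be `not containers.securityContext.readOnlyRootFilesystem` for the manifest rule and `not containersTF.security_context.read_only_root_filesystem` for the Terraform rule (the provider nests `read_only_root_filesystem` under a `security_context` block), with the same change applied to the two init-container rules. In the shared template block, `containersSecurityContextTF = containers.security_context` refers to `containers`, which the `containersTF` template never binds, so that helper is undefined wherever it is used and should read `containersTF.security_context`; the identical slip is in `containerUsesSecretsInEnvironmentVar.rego` below. I would also confirm that `specTF.containers[_]` and `specTF.init_containers[_]` match the normalized Terraform config, since the provider's blocks are named `container` and `init_container`.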
@@ -0,0 +1,15 @@
+{
+ "name": "containerUsesSecretsInEnvironmentVar",
+ "file": "containerUsesSecretsInEnvironmentVar.rego",
+ "template_args": {
+ "is_init": false,
+ "prefix": "",
+ "resource_type": "kubernetes_cron_job",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Container uses secrets in environment variables",
+ "reference_id": "accurics.kubernetes.EKM.57",
+ "category": "Encryption and Key Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.58.json b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.58.json
new file mode 100755
index 000000000..5782805f9
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.58.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerUsesSecretsInEnvironmentVar",
+ "file": "containerUsesSecretsInEnvironmentVar.rego",
+ "template_args": {
+ "is_init": false,
+ "prefix": "",
+ "resource_type": "kubernetes_daemonset",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Container uses secrets in environment variables",
+ "reference_id": "accurics.kubernetes.EKM.58",
+ "category": "Encryption and Key Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.59.json b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.59.json
new file mode 100755
index 000000000..c57f57c8a
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.59.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerUsesSecretsInEnvironmentVar",
+ "file": "containerUsesSecretsInEnvironmentVar.rego",
+ "template_args": {
+ "is_init": false,
+ "prefix": "",
+ "resource_type": "kubernetes_deployment",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Container uses secrets in environment variables",
+ "reference_id": "accurics.kubernetes.EKM.59",
+ "category": "Encryption and Key Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.60.json b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.60.json
new file mode 100755
index 000000000..612247dbb
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.60.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerUsesSecretsInEnvironmentVar",
+ "file": "containerUsesSecretsInEnvironmentVar.rego",
+ "template_args": {
+ "is_init": false,
+ "prefix": "",
+ "resource_type": "kubernetes_job",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Container uses secrets in environment variables",
+ "reference_id": "accurics.kubernetes.EKM.60",
+ "category": "Encryption and Key Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.61.json b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.61.json
new file mode 100755
index 000000000..4a101e0a5
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.61.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerUsesSecretsInEnvironmentVar",
+ "file": "containerUsesSecretsInEnvironmentVar.rego",
+ "template_args": {
+ "is_init": false,
+ "prefix": "",
+ "resource_type": "kubernetes_pod",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Container uses secrets in environment variables",
+ "reference_id": "accurics.kubernetes.EKM.61",
+ "category": "Encryption and Key Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.62.json b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.62.json
new file mode 100755
index 000000000..6637ea307
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.62.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerUsesSecretsInEnvironmentVar",
+ "file": "containerUsesSecretsInEnvironmentVar.rego",
+ "template_args": {
+ "is_init": false,
+ "prefix": "",
+ "resource_type": "kubernetes_replicaset",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Container uses secrets in environment variables",
+ "reference_id": "accurics.kubernetes.EKM.62",
+ "category": "Encryption and Key Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.63.json b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.63.json
new file mode 100755
index 000000000..6caad5ad2
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.63.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerUsesSecretsInEnvironmentVar",
+ "file": "containerUsesSecretsInEnvironmentVar.rego",
+ "template_args": {
+ "is_init": false,
+ "prefix": "",
+ "resource_type": "kubernetes_replication_controller",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Container uses secrets in environment variables",
+ "reference_id": "accurics.kubernetes.EKM.63",
+ "category": "Encryption and Key Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.64.json b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.64.json
new file mode 100755
index 000000000..1e259ce23
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.64.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerUsesSecretsInEnvironmentVar",
+ "file": "containerUsesSecretsInEnvironmentVar.rego",
+ "template_args": {
+ "is_init": false,
+ "prefix": "",
+ "resource_type": "kubernetes_stateful_set",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Container uses secrets in environment variables",
+ "reference_id": "accurics.kubernetes.EKM.64",
+ "category": "Encryption and Key Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.65.json b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.65.json
new file mode 100755
index 000000000..a9416462d
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.65.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerUsesSecretsInEnvironmentVar",
+ "file": "containerUsesSecretsInEnvironmentVar.rego",
+ "template_args": {
+ "is_init": true,
+ "prefix": "",
+ "resource_type": "kubernetes_cron_job",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Container uses secrets in environment variables",
+ "reference_id": "accurics.kubernetes.EKM.65",
+ "category": "Encryption and Key Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.66.json b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.66.json
new file mode 100755
index 000000000..092d8d2a0
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.66.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerUsesSecretsInEnvironmentVar",
+ "file": "containerUsesSecretsInEnvironmentVar.rego",
+ "template_args": {
+ "is_init": true,
+ "prefix": "",
+ "resource_type": "kubernetes_daemonset",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Container uses secrets in environment variables",
+ "reference_id": "accurics.kubernetes.EKM.66",
+ "category": "Encryption and Key Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.67.json b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.67.json
new file mode 100755
index 000000000..39d1101c2
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.67.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerUsesSecretsInEnvironmentVar",
+ "file": "containerUsesSecretsInEnvironmentVar.rego",
+ "template_args": {
+ "is_init": true,
+ "prefix": "",
+ "resource_type": "kubernetes_deployment",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Container uses secrets in environment variables",
+ "reference_id": "accurics.kubernetes.EKM.67",
+ "category": "Encryption and Key Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.68.json b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.68.json
new file mode 100755
index 000000000..4cb38c74b
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.68.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerUsesSecretsInEnvironmentVar",
+ "file": "containerUsesSecretsInEnvironmentVar.rego",
+ "template_args": {
+ "is_init": true,
+ "prefix": "",
+ "resource_type": "kubernetes_job",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Container uses secrets in environment variables",
+ "reference_id": "accurics.kubernetes.EKM.68",
+ "category": "Encryption and Key Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.69.json b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.69.json
new file mode 100755
index 000000000..15f21c174
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.69.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerUsesSecretsInEnvironmentVar",
+ "file": "containerUsesSecretsInEnvironmentVar.rego",
+ "template_args": {
+ "is_init": true,
+ "prefix": "",
+ "resource_type": "kubernetes_pod",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Container uses secrets in environment variables",
+ "reference_id": "accurics.kubernetes.EKM.69",
+ "category": "Encryption and Key Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.70.json b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.70.json
new file mode 100755
index 000000000..642dab2bd
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.70.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerUsesSecretsInEnvironmentVar",
+ "file": "containerUsesSecretsInEnvironmentVar.rego",
+ "template_args": {
+ "is_init": true,
+ "prefix": "",
+ "resource_type": "kubernetes_replicaset",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Container uses secrets in environment variables",
+ "reference_id": "accurics.kubernetes.EKM.70",
+ "category": "Encryption and Key Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.71.json b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.71.json
new file mode 100755
index 000000000..c50c1d323
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.71.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerUsesSecretsInEnvironmentVar",
+ "file": "containerUsesSecretsInEnvironmentVar.rego",
+ "template_args": {
+ "is_init": true,
+ "prefix": "",
+ "resource_type": "kubernetes_replication_controller",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Container uses secrets in environment variables",
+ "reference_id": "accurics.kubernetes.EKM.71",
+ "category": "Encryption and Key Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.72.json b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.72.json
new file mode 100755
index 000000000..f7cc0ac53
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/accurics.kubernetes.EKM.72.json
@@ -0,0 +1,15 @@
+{
+ "name": "containerUsesSecretsInEnvironmentVar",
+ "file": "containerUsesSecretsInEnvironmentVar.rego",
+ "template_args": {
+ "is_init": true,
+ "prefix": "",
+ "resource_type": "kubernetes_stateful_set",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Container uses secrets in environment variables",
+ "reference_id": "accurics.kubernetes.EKM.72",
+ "category": "Encryption and Key Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/containerUsesSecretsInEnvironmentVar.rego b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/containerUsesSecretsInEnvironmentVar.rego
new file mode 100644
index 000000000..f1d9d63db
--- /dev/null
+++ b/pkg/policies/opa/rego/k8s/container_uses_secrets_in_env/containerUsesSecretsInEnvironmentVar.rego
@@ -0,0 +1,114 @@
+package accurics
+
+{{- if eq .is_init true }}
+
+{{.prefix}}{{.name}}{{.suffix}}[api.id] {
+ {{- template "initContainers" . }}
+ envVars := initContainers.env[_]
+ envVars.valueFrom.secretKeyRef
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[api.id] {
+ {{- template "initContainersTF" . }}
+ envVars := initContainersTF.env[_]
+ envVars.valueFrom.secretKeyRef
+}
+
+{{- else }}
+
+{{.prefix}}{{.name}}{{.suffix}}[api.id] {
+ {{- template "containers" . }}
+ envVars := containers.env[_]
+ envVars.valueFrom.secretKeyRef
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[api.id] {
+ {{- template "containersTF" . }}
+ envVars := containersTF.env[_]
+ envVars.valueFrom.secretKeyRef
+}
+
+{{- end }}
+
+##################################
+### Template definitions below ###
+##################################
+{{- define "api" }}
+ api = input.{{.resource_type}}[_]
+{{- end}}
+
+# resolves path to the spec key
+{{- define "spec" }}
+ {{- template "api" . }}
+ {{- if eq .resource_type "kubernetes_pod" }}
+ spec = api.config.spec
+ {{- else if eq .resource_type "kubernetes_pod_security_policy" }}
+ spec = api.config.spec
+ {{- else if eq .resource_type "kubernetes_cron_job" }}
+ spec = api.config.spec.jobTemplate.spec.template.spec
+ {{- else }}
+ spec = api.config.spec.template.spec
+ {{- end }}
+{{- end }}
+
+# resolves path to the spec key for terraform-defined k8s resources
+{{- define "specTF" }}
+ {{- template "api" . }}
+ {{- if eq .resource_type "kubernetes_pod" }}
+ specTF = api.config.spec
+ {{- else if eq .resource_type "kubernetes_pod_security_policy" }}
+ specTF = api.config.spec
+ {{- else if eq .resource_type "kubernetes_cron_job" }}
+ specTF = api.config.spec.job_template.spec.template.spec
+ {{- else }}
+ specTF = api.config.spec.template.spec
+ {{- end }}
+{{- end }}
+
+# resolves path to the containers list
+{{- define "containers" }}
+ {{- template "spec" . }}
+ containers = spec.containers[_]
+{{- end }}
+
+# resolves path to the containers' security context
+{{- define "containersSecurityContext" }}
+ {{- template "containers" . }}
+ containersSecurityContext = containers.securityContext
+{{- end }}
+
+# resolves path to the containers list for terraform-defined k8s resources
+{{- define "containersTF" }}
+ {{- template "specTF" . }}
+ containersTF = specTF.containers[_]
+{{- end }}
+
+# resolves path to the containers' security context for terraform-defined k8s resources
+{{- define "containersSecurityContextTF" }}
+ {{- template "containersTF" . }}
+ containersSecurityContextTF = containers.security_context
+{{- end }}
+
+# resolves path to the initContainers list
+{{- define "initContainers" }}
+ {{- template "spec" . }}
+ initContainers = spec.initContainers[_]
+{{- end }}
+
+# resolves path to the initContainers' security context
+{{- define "initContainersSecurityContext" }}
+ {{- template "initContainers" . }}
+ initContainersSecurityContext = initContainers.securityContext
+{{- end }}
+
+# resolves path to the initContainers list for terraform-defined k8s resources
+{{- define "initContainersTF" }}
+ {{- template "specTF" . }}
+ initContainersTF = specTF.init_containers[_]
+{{- end }}
+
+# resolves path to the initContainers' security context for terraform-defined k8s resources
+{{- define "initContainersSecurityContextTF" }}
+ {{- template "initContainersTF" . }}
+ initContainersSecurityContextTF = initContainersTF.security_context
+{{- end }}
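Review bot: The two Terraform rule bodies read `envVars.valueFrom.secretKeyRef` on `containersTF.env[_]` / `initContainersTF.env[_]`, but the sibling Terraform rule in this change already uses the provider's snake_case attribute names (`read_only_root_filesystem`), and the Terraform kubernetes provider spells these nested blocks `value_from` and `secret_key_ref`, so the camelCase path is very unlikely to match a Terraform-defined container; those two lines should test `envVars.value_from.secret_key_ref`. The detection is also narrower than the description suggests: a Secret injected wholesale via `envFrom[_].secretRef` (Terraform: `env_from[_].secret_ref`) puts every key into the environment and is not caught by iterating `env[_]`, so an additional rule body per variant along the lines of `containers.envFrom[_].secretRef` would close that gap. In the shared template block, `containersSecurityContextTF = containers.security_context` references `containers`, which the `containersTF` template never binds, and should read `containersTF.security_context`; this is the same copy-paste slip as in `containerReadOnlyRootFilesystemIsFalse.rego` above.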